Nick Jeswald - Confessions of a Cybersecurity Recruiter (Part 1)


Manage episode 245022289 series 2459098
By Ayman Elsawah and Ayman Elsawah (@coffeewithayman). Discovered by Player FM and our community — copyright is owned by the publisher, not Player FM, and audio is streamed directly from their servers. Hit the Subscribe button to track updates in Player FM, or paste the feed URL into other podcast apps.

RECAST Any part of this episode:

Part 1 of 2 - Nick Jeswald has been an external and internal recruiter in security. He shares with us what he looks for in a candidate, common mistakes made by candidates, and the nuances of hackers he's learned over the years.


I've been in infosec for 8 years, and in various IT roles since 1996. Developer -> Sales Engineer -> BD Specialist -> Security BD -> Security Recruiting -> Dir. Corp Dev. However, whatever role I've had, I've also been one of the top recruiters for each company I worked at.

Show Notes:

  • Internal recruiters != external recruiters
    • Backgrounds are different
      • External recruiters come from varied backgrounds, virtually zero from infosec
        • Much like BD people
      • Internal recruiters are more likely to have a greater understanding of infosec or at least IT
      • A recruiter that doesn't understand security is more likely to make bad placements with higher turnover
    • Motivations are far different
      • I want to choose people to spend a career with
      • They want to make a commission and meet SLAs
    • Attention to detail is very different
      • A tiny detail that could betray a hidden skill set or flaw would likely be overlooked by a 3rd party
      • I have an interest in understating the person, not just the resume
        • What is their desired career/life trajectory?
        • How will our company enrich/hinder that life?
  • You are in competition with an army of low-skilled counterfeits
    • You need to be able to demonstrate raw skills, not just list your certs
    • Have a body of work available for review on GitHub, your own site, etc.
    • Internships are a nice touch, but they cut both ways
      • You interned with unnamed-big-4-biz-consulting firm? Don't drag that culture in here. I fear for what you learned.
    • Can't talk about where you interned because it was a non-DOD three letter agency? Communicate that point to me in your way. If that is the truth, I'll trace you back and verify.
  • Always be client facing
    • I have seen many recruits passed over for poor hygiene, arrogant treatment of interviewers, disclosure of illegal activity, and just generally obnoxious behavior
      • You couldn't act like this on a client site and not get sent home; don't do it on the interview
      • Yes, you are talented...there's always someone cooler than you
  • Interview your interviewers
    • You should have a standing list of questions for interviewers
      • Why do you stay with them?
      • What is the intended growth path? Organic? IPO? Channel?
      • Is there any merger/acquisition activity going on? Planned? Intended impact?
      • Is there any rebranding activity going on? Planned? Intended impact?
      • What conditions are driving this open role? Turnover? Internal restructuring? Organizational growth?
      • Will I be supported in my security research? How?
      • Does your company have a defined mentoring path? Why not?
      • How does the company support continuing infosec education?
  • Meet your team
    • Watch the team interaction closely
    • Can you see cohesion? Are they supportive or adversarial? Are they authentically happy with their jobs?
  • Understand the org chart you are stepping into
    • To whom does security answer? CXX? IT Director? General Counsel?
      • Understanding this will help mitigate surprises later
  • Understand the company culture
    • Big corp? Big corp problems.
    • Boutique? Founder problems.
    • Is there a "tree house" mentality among the senior employees?
  • Never forget who you are
    • I know you want a job, but don't take a job that is sure to kill you slowly from the inside
      • Like doing offensive security? Don't start in the SOC.
    • Did you walk away from the interview(s) thinking that this company understands the care & feeding of hackers?
    • If you can already see the point at which you will outgrow the company, is it the right place to start?
      • Maybe! If you have a goal of entrepreneurship, or of working for a specific team, this first step just needs to support that eventual goal. This may be detected by an astute interviewer, though.
  • Resume tips
    • One page.
      • My dad started at the bottom, and worked up to EVP of a Fortune 50 corp. One page.
    • Focus on your relevant work experiences and extracurricular infosec work
    • I'd rather read about 0days and CVEs than certs
    • I want to know about your community involvement
      • 2600, local DCs, TOOOL, OWASP, etc.
      • Presentations at cons matter to me, especially if I can watch you deliver information to an audience
        • Like a free audition, and believe me I watch every one people link in resumes
    • I don't care about your GPA, fraternity/sorority, who we know in common, what sports you enjoy, or what you look like. At all.
      • Seriously, don't add a photo.
  • General tips
    • Code. Know it. In several languages.
      • Despite semantic differences, you should have a pretty good working knowledge of the most widespread VMs, coding languages, and compilers
    • Web apps are your paycheck
      • Knowing the OWASP Top 10 is like knowing your middle name...not impressive in and of itself, but if you don't know them, there's something wrong.
      • Many composite "red team" projects will involve some Web app hacking, and even the most specialized consultancies will agree to a Web app assessment for an established client
  • Think holistically, and make yourself more valuable
    • If you can't write a report, of what value are your assessment activities?
    • Seem to always have interpersonal conflict? Time to read up on Empathy and EQ. Be the go-to on your squad.
    • Get comfortable with an audience. Toastmasters is there for you.
  • Learn the value of "the Halloween Mask" as Henry Rollins called it
    • Sure, you're a young security professional. We all expect eccentricity from you. We're all also trying to make money and be taken seriously
      • Don't forget: in boardrooms of white haired old men across the nation, we're still the same guys who lost them millions of dollars on ERPs and useless Y2K preparations
      • I'm not kidding about this.
    • Don't wield your difference like a blunt object. A little bit goes a long way when you're also scaring the hell out of everyone with pen test reports.
    • My life is far more complex and wacky than my coworkers know, and I talk a lot. I just know how much to let through the mask.

Getting Into Infosec:

Follow Me on Twitter:

Subscribe To YouTube:

Checkout My Book:

Sign up for updates and commentary:


54 episodes